feature request : ability to overide discovery endpoint #439
Comments
|
I think ProviderConfig is what you're looking for? https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#ProviderConfig.NewProvider |
|
i've seen that, but no this oblige to overide all endpoint (and also the Algorithms).
func (p *ProviderConfig) NewProvider(ctx context.Context) *Provider {
return &Provider{
issuer: p.IssuerURL,
authURL: p.AuthURL,
tokenURL: p.TokenURL,
deviceAuthURL: p.DeviceAuthURL,
userInfoURL: p.UserInfoURL,
jwksURL: p.JWKSURL,
algorithms: p.Algorithms,
client: getClient(ctx),
}
}all the attributes must be set without that is not working (there are not defaulted to the discovery)... in the discovery version Line 208 in 0fe9887 |
|
I think it would be useful to have a |
|
The discovery URL has spec defined semantics for deriving it from the issuer
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig If the discovery endpoint is at a different URL or returns incorrect value, please use ProviderConfig instead to specify these values. https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#ProviderConfig We've had a lot of issues with providers doing non-spec compliant things with discovery (#344), and that API is the solution. I believe that covers this use case. If your provider is doing something odd, please parse its discovery doc and use those values to fill in ProviderConfig. I really don't want to add more API surface for off spec providers. |
is generally not possible to do, because the discovery url generally expose all there endpoing the same fqdn (the idp fqdn). if you use public discovery url for application hosted in private network (but publicly exposed with public load balancer) that not have internet access your application cannot abel to call userinfo endpoint from the private network.
but ProviderConfig oblige to overid all provider information, generaly you need to overide endpoint that are call between oidc application SP with the idp like UserInfoURL, TokenURL, JWKSURL when the application and the idp are hosted in private network, tho avoid to go to front internet exposition. Generaly you don't need to overide Algorithms (you need to use the who the idp know)... |
This PR adds JSON tags to allow parsing a ProviderConfig directly from the OpenID Connect JSON metadata document. Since this is the preferred workaround for providers that don't support discovery in a spec-compliant way, such as returning the wrong issuer, or requiring a URL parameter, make this path easier and add an example to the godoc. Updates coreos#445 Updates coreos#444 Updates coreos#439 Updates coreos#442 Updates coreos#344 Fixes coreos#290
This PR adds JSON tags to allow parsing a ProviderConfig directly from the OpenID Connect JSON metadata document. Since this is the preferred workaround for providers that don't support discovery in a spec-compliant way, such as returning the wrong issuer, or requiring a URL parameter, make this path easier and add an example to the godoc. Updates coreos#445 Updates coreos#444 Updates coreos#439 Updates coreos#442 Updates coreos#344 Fixes coreos#290
This PR adds JSON tags to allow parsing a ProviderConfig directly from the OpenID Connect JSON metadata document. Since this is the preferred workaround for providers that don't support discovery in a spec-compliant way, such as returning the wrong issuer, or requiring a URL parameter, make this path easier and add an example to the godoc. Updates coreos#445 Updates coreos#444 Updates coreos#439 Updates coreos#442 Updates coreos#344 Fixes coreos#290
This PR adds JSON tags to allow parsing a ProviderConfig directly from the OpenID Connect JSON metadata document. Since this is the preferred workaround for providers that don't support discovery in a spec-compliant way, such as returning the wrong issuer, or requiring a URL parameter, make this path easier and add an example to the godoc. Updates #445 Updates #444 Updates #439 Updates #442 Updates #344 Fixes #290
|
Your merge #446 looks functional! But why add the json tags to ProviderConfig instead of making providerJSON public or using ProviderConfig instead of providerJSON? Or add a NewProviderConfig function that would use the existing NewProvider code to do the discovery and have NewProvider use this function?! This way we could use it to do the discovery and possibly modify the endpoints returned in the ProviderConfig structure before using it to create the Provider with NewProvider. func NewProviderConfig(ctx context.Context, issuer string) (*ProviderConfig, error) {
// the old NewProvider code
// but return ProviderConfig rather than Provider
return &ProviderConfig {
IssuerURL: issuerURL,
AuthURL: p.AuthURL,
TokenURL: p.TokenURL,
DeviceAuthURL: p.DeviceAuthURL,
UserInfoURL: p.UserInfoURL,
JWKSURL: p.JWKSURL,
Algorithms: algs,
// with the possibility of adding rawClaims in ProviderConfig
// rawClaims: body,
client: getClient(ctx),
}, nil
} |
|
Hey @mcarbonneaux, Off spec providers have many different ways they supply users these values. You're describing one way for one provider, but I don't think this package needs to make a convenient API for every bespoke implementation. If there's anything you can't do with the current API, please do open an issue and we can work through that. If you find the current API clunky, please open a bug against your provider to correctly implement the discovery spec. I'm not trying to make this too inconvenient for you, but server implementations need to bear some responsibility here. This can't be all on the clients. Eric |
actualy the oidc client support only full discovery, but some time when you have dual exposition of your idp (internet and private), and if the client application are executed on private network you need to overide userinfo to go through private network to access to the idp.
in this case we need the ability to overide all the provider endpoint url.
like to add setter to all the discovered url after Provider initialisation.
like that:
The text was updated successfully, but these errors were encountered: